
Generalising shift ciphers

Affine ciphers: for $M = C = \mathbb{Z}_n$, define
• $c = E_k(m) = (a \cdot m + b) \bmod n$
• $m = D_k(c) = (a' \cdot c + b') \bmod n$
where $k$ is $\langle a, b \rangle$ and $\langle a', b' \rangle$, respectively.

Example: In $\mathbb{Z}_{26}$,
• $E_{3,11}$("h") = "G" since $(3 \cdot 7 + 11) \bmod 26 = (21 + 11) \bmod 26 = 32 \bmod 26 = 6$
• $D_{9,5}$("G") = "h" since $(9 \cdot 6 + 5) \bmod 26 = (54 + 5) \bmod 26 = 59 \bmod 26 = 7$

Exercise: is this a proper crypto system? Give the 5-tuple. Hint: consider the keys $\langle 2, 1 \rangle$ or $\langle 4, 7 \rangle$.

Affine cipher keys

Not all keys in $\mathbb{Z}_n \times \mathbb{Z}_n$ are usable: Must choose $k$ such that $E_k$ is injective (reversible).

Example: $\langle 2, 1 \rangle$ is not a good key in $\mathbb{Z}_{26}$:
• $(2 \cdot 13 + 1) \bmod 26 = 1$
• $(2 \cdot 0 + 1) \bmod 26 = 1$
Can't decrypt the ciphertext 1!

So which keys work?

Modular arithmetic: repetition

$a \equiv b \bmod n$ if $a - b = k \cdot n$ for some $k$ (integers)
• e.g. $17 \equiv 7 \bmod 5$

Write $a \bmod n = r$ if $a = n \cdot k + r$ ($r$ is the (positive) residue of $a/n$)

$a \bmod n = r$ implies $a \equiv r \bmod n$

Let be an operation $+, -, \cdot$. Then (a b) mod n = ((a mod n) (b mod n)) mod n

$(\mathbb{Z}_n, \{+, -, \cdot\})$ is a commutative ring with the usual commutative, associative, distributive laws. (Note: no division.)

Modular arithmetic cont

$x$ is the multiplicative inverse of $a$ modulo $n$, written $a^{-1}$, if $a \cdot x \equiv 1 \bmod n$.
• e.g. $3 \cdot 5 \equiv 1 \bmod 14$, so $3^{-1}$ is $5 \bmod 14$.
• only exists if $\gcd(a, n) = 1$, and is then unique mod $n$.

The reduced set of residues modulo $n$, written $\mathbb{Z}_n^*$, is $\{x \in \mathbb{Z}_n - \{0\} : \gcd(x, n) = 1\}$ (i.e. the relatively prime numbers).

Euler's totient function $\varphi(n)$ is the cardinality of $\mathbb{Z}_n^*$.
• e.g. $\mathbb{Z}_{24}^* = \{1, 5, 7, 11, 13, 17, 19, 23\}$ (note: not 3), and thus $\varphi(24) = 8$.

Back to Affine ciphers

To choose a key s.t. encryption is injective, $am + b \equiv c \bmod n$, i.e. $am \equiv c - b \bmod n$ must have one solution for each $m$.
• if $\gcd(a, n) > 1$, then e.g. $am \equiv 0 \bmod n$ has two solutions $m = 0$ and $m = n / \gcd(a, n)$ (e.g. $\gcd(4, 26) = 2$, solution $m = 13$)
• if $\gcd(a, n) = 1$, then suppose there are two solutions $d$ and $d'$: then
  • $ad \equiv ad' \bmod n$, so $a(d - d') \equiv 0 \bmod n$ so $n \mid a(d - d')$,
  • since $\gcd(a, n) = 1$, then $n \mid (d - d')$ and $d \equiv d' \bmod n$,
  • thus the solution is unique! (modulo $n$)

Affine cipher keys

How many keys are usable for an affine cipher?
• As $x$ varies over $\mathbb{Z}_n$ and $\gcd(a, n) = 1$, $(ax + b) \bmod n$ will have $n$ different values, so $ax \equiv b \bmod n$ has a unique solution for every value of $b$
• The number of values of $a$ s.t. $\gcd(a, n) = 1$ is $\varphi(n)$ (by def)

So the number of keys $\langle a, b \rangle$ of an affine cipher is $n \cdot \varphi(n)$.

Example: an affine cipher on $\mathbb{Z}_{26}$ has $26 \cdot 12 = 312$ keys.

Note: one is not useful: $\langle 1, 0 \rangle$.

Affine cipher decryption

So which are the decryption keys?

Note that since $\gcd(a, n) = 1$, there is a multiplicative inverse $a^{-1}$ (mod $n$).

$c = am + b \bmod n$ (by def of encryption)
$am + b \equiv c \bmod n$, i.e.
$am \equiv c - b \bmod n$
$a^{-1}am \equiv a^{-1}(c - b) \bmod n$
$1m \equiv a^{-1}c - a^{-1}b \bmod n$

So given an encryption key $\langle a, b \rangle$ the decryption key is $\langle a^{-1}, -a^{-1}b \rangle$.

Example: In $\mathbb{Z}_{26}$, the encryption key $\langle 3, 11 \rangle$ has the decryption key $\langle 9, 5 \rangle$ since $3^{-1} = 9$ and $-(9 \cdot 11) = -99 \equiv 5 \bmod 26$.

Later: how to compute multiplicative inverses.

Cryptanalysis of affine ciphers

How can we break affine ciphers?

Chosen plaintext: Find $a$ and $b$ easily by $E_k(0) = b$ and $E_k(1) = a + b \bmod n$.

Known plaintext: given plaintexts $x, y$ and corresponding ciphertexts, $E_k(x) - E_k(y) = (a \cdot (x - y)) \bmod n$; if $x - y$ has an inverse mod $n$, then $a = (x - y)^{-1}(E_k(x) - E_k(y)) \bmod n$, and $b = (E_k(x) - a \cdot x) \bmod n$.

Ciphertext only: frequency analysis.

Transposition ciphers

Railfence:

    t       i       t       s
      h   s   s   o   a   o   e
        i       n       r

Cipher: TITSHSSOAOEINR

Columnar transposition:

    Key:   3 1 4 2
    Plain: t h i s
           i s n o
           t a r o
           s e f w

Cipher: HSAESOOWTITSINRF

Breaking: by digram/trigram analysis.

Strengthening ciphers

Try combining several keys: product ciphers
• $c = E_{k_n}(E_{k_{n-1}}(\cdots(E_{k_1}(m))\cdots)) = E'_k(m)$
• $m = D_{k_1}(D_{k_2}(\cdots(D_{k_n}(c))\cdots)) = D'_k(c)$

If $E'_k = E_{k'}$ for some single $k'$, the cipher is idempotent. Example: shift cipher.

Exercise: is an affine cipher also idempotent?
Yes: $E_{a,b} \circ E_{c,d} = E_{ac,\,ad+b}$

Two crypto systems $S_1$ and $S_2$ commute if $S_1 S_2 = S_2 S_1$, i.e. $E^2_{k_2}(E^1_{k_1}(m)) = E^1_{k_1}(E^2_{k_2}(m))$

A crypto system $S$ is idempotent if $S = SS$

A function $f$ is an involution if $f(f(x)) = x$.

Product ciphers

If $S_1$ and $S_2$ are idempotent and commute, then their product is also idempotent.
• i.e. no strength is won
• e.g. shift ciphers

So for a product cipher to increase cryptographic strength, its parts must not be idempotent. But if they are not, strength can be gained!

Note: while involution ciphers are very undesirable, the composition of two involutions is not necessarily an involution.

Uses: coming up next.
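
The affine-cipher results from these slides (usable keys need gcd(a, n) = 1, the decryption key is ⟨a⁻¹, −a⁻¹b⟩, there are n · φ(n) keys, and two known plaintext/ciphertext pairs reveal the key), as runnable Python. This is an added example, not part of the original slides; all function names are hypothetical and the sample plaintext is constructed.

```python
from math import gcd

def check_key(key, n):
    """Reject keys <a, b> with gcd(a, n) != 1: encryption would not be injective."""
    a, b = key
    if gcd(a, n) != 1:
        raise ValueError(f"a={a} has no inverse mod {n}; key {key} is unusable")
    return a % n, b % n

def encrypt(m, key, n=26):
    a, b = check_key(key, n)
    return (a * m + b) % n

def decryption_key(key, n=26):
    """<a, b> -> <a^-1, -a^-1 * b> (mod n)."""
    a, b = check_key(key, n)
    a_inv = pow(a, -1, n)            # modular inverse, Python 3.8+
    return a_inv, (-a_inv * b) % n

def decrypt(c, key, n=26):
    a_inv, b_inv = decryption_key(key, n)
    return (a_inv * c + b_inv) % n

def count_keys(n=26):
    """n * phi(n): phi(n) choices of a, n choices of b."""
    return n * sum(1 for a in range(n) if gcd(a, n) == 1)

def recover_key(x, cx, y, cy, n=26):
    """Known plaintext: a = (x - y)^-1 (cx - cy), b = cx - a*x (mod n)."""
    d = (x - y) % n
    if gcd(d, n) != 1:
        raise ValueError("x - y has no inverse mod n; another pair is needed")
    a = pow(d, -1, n) * (cx - cy) % n
    return a, (cx - a * x) % n

def encrypt_text(msg, key):
    """Lowercase a-z plaintext -> uppercase ciphertext, as on the slides."""
    return "".join(chr(65 + encrypt(ord(ch) - 97, key)) for ch in msg)

def decrypt_text(ct, key):
    return "".join(chr(97 + decrypt(ord(ch) - 65, key)) for ch in ct)

if __name__ == "__main__":
    key = (3, 11)                                   # key used in the slides
    ct = encrypt_text("thisisnotarose", key)        # constructed sample input
    print(ct, decrypt_text(ct, key), decryption_key(key), count_keys())
    # Two known pairs ("h" -> 7, "i" -> 8) are enough to recover the key.
    print(recover_key(7, encrypt(7, key), 8, encrypt(8, key)))
```

`recover_key` refuses a pair whose difference shares a factor with n, which is the "if x − y has an inverse" condition from the cryptanalysis slide.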